TRENDING

5 ways to protect audio and microphones from malicious exploits

By Luis Artiz

Oct 30, 2013

A secret spy exists on nearly every computer: its microphone. Through remote access trojans (RATs) these hackers are finding their way into even the most secure government and corporate environments. They can capture audio information and send it off as compressed audio files via email, an encrypted stream or pictures for unscrupulous uses. Even computer speakers can be used as microphones, so a computer can still be compromised if its audio and microphone channels are not physically separated.

As more organizations embrace Voice over Internet Protocol (VoIP) phone systems, the risk grows exponentially. Even in secure offices where information may be highly confidential, secure data is being exposed at an alarming rate.

RATs working through a hole in an organization’s firewall or unsecured local area network can run invisibly on host PC and laptops, permitting an intruder to have remote access and control. These intruders, which often rely on zero-day vulnerabilities that are not detected by security software, can remotely activate the use of microphones. Then they can capture sounds from the user and his surrounding environment.

Since many VoIP networks switch data between networks of varying security levels, the exposure risk of electromagnetic interference leakage is compounded. And because most firmware is reprogrammable, the switch logic can be tampered with, and there is no way to track whether it has been opened or compromised. Additionally, the use of memory buffers and other types of data storage can further increase the risk of exploitation. These technologies can even be manipulated by malicious software as users switch between computers.

But a new breed of technology is emerging to prevent malicious audio signal interception. The approach is designed to enable centralized control over audio ports while reducing the possibility of analog “cross-talk” caused by audio signals between computers running at different security levels. Ideally, secure audio and microphone security solutions should support both stereo audio and microphone analog signals and allow users to securely share headsets, speakers and microphones between computers or IP phones without the risk of breach.

By keeping audio signals physically separated from the microphone or speaker signals, secure audio and microphone technologies can eliminate the possibility of leakage between signals on either side. As a result, organizations can prevent signals from being exploited or manipulated by malicious software, thereby maintaining the integrity of the signal when users switch between computers.

Further, the use of a hardware microphone mute button, which can physically shut off a microphone when not in use, can extend system security. Mute buttons cannot be manipulated by software or drivers, thereby assuring even more security.

When selecting options for audio and microphone security to cut the risk of audio signal interception, consider using these practices:

Select solutions with non-reprogrammable firmware, which prevents the ability to tamper with the switch logic.

Place a metal-plate firewall between the audio and microphone printed circuit boards to reduce the potential of electromagnetic interference leakage.

Ensure that tamper-evident tape has not been breached – holographic security labels placed on the enclosure provides a visual indication if the switch has been opened or compromised.

Use secure packaging. Look for “tear away” packaging that ensures the secure delivery of the switch as it is routed to the end user.

It’s estimated that the U.S. government is attacked hundreds of thousands of times every day, making security threats impossible to eliminate altogether. Yet, by following practices to secure audio and microphone usage (especially in government and highly regulated industries including finance and healthcare), users can continue to benefit from the simplicity and low cost of VoIP systems, without the risk.

inside gcn

Reader Comments

Mon, Nov 4, 2013
Mark

You've got to be kidding me?!? Do you have any idea how many people would fry their computers if they tried to "Place a metal-plate firewall between the audio and microphone printed circuit boards..."? Not to mention the fact that those functions are integrated into one audio chip. Even the connections are integrated into a single riser on the motherboard. If you truly want to isolate your input from your output, use separate computers, high quality shielded cables, and lay them out appart from each other.

Fri, Nov 1, 2013

I thought it was much easier to put electric tape over the microphone ports that allow sound to reach the pickup surfaces. It's nice to hack into a computer to listen to nothing. This also works for defeating embedded cameras on laptops, televisions and more. Who would have thought a simple piece of thick plastic tape would work so well.

Fri, Nov 1, 2013
Kenton Sturdevant
Eugene, OR

A very cheap, simple solution that I have used is to obtain a 1/8 inch plug from Radio Shack, terminate it with 10K Ohms of resistance and plug it into your laptop microphone jack. It works by interrupting the mic input line to the sound card. Even laptops whose software senses the impedance change to switch will think an external microphone was plugged in and kill the internal mic.

Fri, Nov 1, 2013
earth

The simple solution it to program your sound channel to constantly play horrendous “music” and turn your speakers off. Anyone that hacks it will have to sit through the “music” in the hopes of ever getting something useful. The two least liked forms of “music” are improv and opera although they can also be mixed into improvisational opera: http://www.theguardian.com/stage/2008/dec/23/comedy-impropera. Have your computer switch between different operas at each phrase. 7-elevens have been using opera to get rid of lingerers for years. Make their ears bleed.

Please post your comments here. Comments are moderated, so they may not appear immediately
after submitting. We will not post comments that we consider abusive or off-topic.